Dodg Viruses Information

Name: Dodg
Category: Viruses
Description:
Dodgy

This is a very dangerous memory-resident stealth boot virus. It occupies two sectors, so the virus length is 1024 (400h) bytes. It infects the MBR of the hard drive and the boot sector of floppy disks. When infecting the hard drive, the virus saves the original MBR sector and the rest of its code to sectors on the first track, head zero, starting at sector 14. Usually that space is not occupied by any programs or data. When infecting a floppy disk, the virus saves the original boot sector and its code to the last sectors of the root directory.
When the system is booted from an infected disk, the virus decreases the size of system memory by modifying the word at address 0:0413h, copies itself into the memory it has reserved, hooks INT 8, 13h and 40h, and calls the bootstrap loader (reboots the system). Once installed, the virus runs its stealth engine. As a result the bootstrap loader reads the original boot/MBR sector instead of the infected one, so the virus code does not receive control and the virus does not install itself into system memory twice. During installation the MBR of the hard drive is also accessed; the virus's INT 13h handler intercepts that call and infects the MBR if it is not already infected.
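The storage layout described above (original MBR parked on track 0, head 0, from sector 14) can be checked offline on a raw disk image. The following Python is an added example, not part of this description; it assumes classic 63-sectors-per-track BIOS geometry and works on constructed sample images rather than real captures.

```python
import struct

SECTOR = 512
HIDDEN_FIRST = 14        # per the description: saved MBR and rest of the virus code start at track 0, head 0, sector 14
SECTORS_PER_TRACK = 63   # assumption: classic BIOS geometry, so track 0 head 0 is LBA 0..62

def has_boot_signature(sec: bytes) -> bool:
    return len(sec) == SECTOR and sec[510:512] == b"\x55\xaa"

def partition_table(sec: bytes) -> bytes:
    return sec[446:510]

def looks_like_mbr(sec: bytes) -> bool:
    # signed and at least one partition entry with a non-zero type byte
    return has_boot_signature(sec) and any(sec[446 + 16 * i + 4] for i in range(4))

def scan_track0(image: bytes) -> dict:
    """Offline check of a raw disk image for an MBR copy parked in the hidden track-0 sectors.
    The image must be taken with the infected system not running: the virus's INT 13h stealth
    would otherwise return the original MBR for reads of sector 1 and hide the infection."""
    live = image[:SECTOR]
    result = {"saved_mbr_sector": None, "same_partition_table": False, "loader_code_differs": False}
    for chs_sector in range(HIDDEN_FIRST, SECTORS_PER_TRACK + 1):   # CHS sector numbers are 1-based
        sec = image[(chs_sector - 1) * SECTOR:chs_sector * SECTOR]
        if looks_like_mbr(sec):
            result["saved_mbr_sector"] = chs_sector
            result["same_partition_table"] = partition_table(sec) == partition_table(live)
            result["loader_code_differs"] = sec[:446] != live[:446]
            break
    return result

def build_images() -> tuple:
    """Constructed sample images (not real captures): a clean disk and one laid out as described."""
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x06, 0xFE, 0x3F, 0x7F]) + struct.pack("<II", 63, 1_000_000)
    table = entry + b"\x00" * 48                       # one active FAT16 partition, three empty entries
    clean_mbr = b"\xfa\x33\xc0" + b"\x90" * 443 + table + b"\x55\xaa"
    clean = bytearray(SECTOR * SECTORS_PER_TRACK)
    clean[:SECTOR] = clean_mbr
    infected = bytearray(SECTOR * SECTORS_PER_TRACK)
    infected[:SECTOR] = b"\xeb\x1c\x90" + b"\xcc" * 443 + table + b"\x55\xaa"   # replaced loader, same table
    infected[13 * SECTOR:14 * SECTOR] = clean_mbr      # original MBR saved at CHS sector 14 (LBA 13)
    infected[14 * SECTOR:15 * SECTOR] = b"\xcc" * SECTOR  # second half of the 1024-byte virus body
    return bytes(clean), bytes(infected)

if __name__ == "__main__":
    clean, infected = build_images()
    print("clean:   ", scan_track0(clean))
    print("infected:", scan_track0(infected))
```

A signed sector with a valid partition table found in that area is a lead, not proof: boot managers and some disk utilities also keep data on track 0, so compare the recovered sector against the live MBR before drawing conclusions.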
When infecting the MBR, the virus uses several tricks to avoid detection by the BIOS anti-virus protection: it modifies the necessary fields in the CMOS and stuffs the 'Y' key into the keyboard buffer before writing to the MBR.
The virus uses its INT 13h and 40h hooks to run its infection and stealth routines while the floppy disks and the hard drive are read or written. By hooking INT 8 (timer) the virus intercepts the DOS loading process: it scans the low memory area for the text "PEC=", which is the tail of the "COMSPEC=" string placed in the environment blocks of DOS programs. If this string is found, the virus hooks the DOS interrupts INT 21h and 2Fh, increases (i.e. restores) the size of system memory (the word at address 0:0413h) and disables its INT 8 handler.
By hooking INT 21h the virus intercepts program execution and checks program names. If a program with a name matching RAV* is executed, the virus calls its trigger routine (see below). The virus does not call this trigger routine under Windows; in that case it runs the routine when Windows exits (intercepted through the INT 2Fh hook).
By hooking INT 2Fh the virus intercepts Windows startup, gets the Windows directory and deletes the file SYSTEM\IOSUBSYS\HSFLOP.PDR there. When Windows exits, the virus jumps to its trigger routine if a RAV* file was executed during the Windows session.
Three months after infecting a disk the virus manifests itself through the trigger routine: it switches the computer to graphics video mode, displays a message, disables the keyboard and erases sectors on the hard drive. The message is:
RAVage is wiping data! RP&muRphy

© 2006-2008 spyware32.com